Using Autopsy for Digital Forensic Analysis on the Acorn

Application Type: GUI-based Digital Forensics Platform
Primary Use: Analysing forensic disk images, recovering artefacts, and reconstructing user activity
Pre-installed in the Forensics Hub

Overview

Autopsy, running on the Acorn forensic workstation, provides digital forensic examiners with a reliable and intuitive interface for analysing forensic disk images. Together, they support efficient user activity reconstruction, recovery of deleted files, and detection of data exfiltration. This use case illustrates how an examiner uses Autopsy to investigate a suspected insider breach using a standard .E01 forensic image.

Case Context

A corporate security team suspects that a departing employee has removed confidential financial documents from their laptop. A forensic examiner is tasked with investigating the case. The Acorn's integrated toolkit is used to acquire an .E01 image of the system with Guymager, recording the acquisition hash so the image can be verified before and after analysis, and the image is then loaded directly into Autopsy.

1. Launching Autopsy and Creating a Case

The examiner launches Autopsy from the Acorn’s Forensics Hub and creates a new case. Case metadata including case number, examiner name, and evidence description is entered.

Screenshot: Autopsy start screen with “Create New Case” selected

2. Loading the E01 Forensic Image

The .E01 image of the employee's system is selected as the data source. Provided all segments are in the same directory, Autopsy automatically chains the segmented files (.E01, .E02, and so on) and begins parsing the file systems they contain.

Screenshot: Evidence image loading screen showing .E01 image path and segment detection

Screenshot: Ingest module selection screen with Keyword Search, File Type Identification, and Embedded File Extractor enabled

3. Conducting Keyword and File Searches

Using Autopsy's keyword search module, the examiner loads custom keyword lists relevant to the company's confidential documents and personnel. With the "Add text to Solr Index" option enabled, the examiner ensures the text extracted from the .E01 image content is indexed directly; keyword hits can only be as complete as that index, so searches are run after ingest has finished. Filters are used to narrow results to sensitive file types (.xlsx, .pdf, .docx) and to surface deleted or recently accessed documents.

Screenshot: Keyword search results from .E01 image showing matches on terms like “confidential” and company emails.
Recovered files are tagged and exported for deeper examination

4. Timeline Analysis of File Activity

Autopsy's timeline module is used to visualise when key files were created, modified, accessed, or changed (the MACB timestamps), including entries recovered for deleted files. The examiner identifies spikes in file activity in the days before the employee's resignation date, suggesting periods of intensified document handling and potential data movement. Because Windows may not update last-access timestamps, the absence of access events is not treated as proof that a file was never opened.

Screenshot: Timeline showing increased access to sensitive files
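The spike detection described above can be reproduced outside the GUI from the same MACB data. The following is an added example, not code from the Acorn page or from Autopsy: it parses Sleuth Kit body-file records (the format produced by `fls -m`, which Autopsy's timeline is built from), counts events per UTC day, and flags days whose activity exceeds a multiple of the median. The records, paths and the 2024-07-05 resignation date are constructed for illustration.

```python
"""Spike detection over Sleuth Kit body-file (mactime) records.

Added example (not part of the Acorn page or of Autopsy). The records,
paths and dates below are constructed for illustration only.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Constructed body-file lines (TSK 3.x format), one per file entry:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/Users/jdoe/Documents/Q3_forecast.xlsx|1021-128-4|r/rrwxrwxrwx|0|0|48213|1719964800|1717372800|1717372800|1717372800
0|/Users/jdoe/Documents/board_pack.pdf|1022-128-4|r/rrwxrwxrwx|0|0|913204|1719968400|1717977600|1717977600|1717977600
0|/Users/jdoe/Documents/payroll_2024.xlsx|1023-128-4|r/rrwxrwxrwx|0|0|77120|1719972000|1718582400|1718582400|1718582400
0|/Users/jdoe/Documents/vendor_contracts.docx|1024-128-4|r/rrwxrwxrwx|0|0|210044|1720051200|1719187200|1719187200|1719187200
0|/Users/jdoe/Documents/exit_notes.txt (deleted)|1030-128-3|r/rrwxrwxrwx|0|0|1802|1720054800|1720054800|1720058400|1720054800
0|/Users/jdoe/Downloads/drive_upload.zip (deleted)|1031-128-3|r/rrwxrwxrwx|0|0|5402112|1719975600|1719975600|1719979200|1719975600
"""

RESIGNATION_DATE = "2024-07-05"  # constructed case date

MACB = ("a", "m", "c", "b")  # field order of atime, mtime, ctime, crtime


def parse_body(text):
    """Yield (utc_datetime, macb_letter, path) for every non-zero timestamp."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip malformed lines rather than mis-parsing them
        path = fields[1]
        for letter, raw in zip(MACB, fields[7:11]):
            ts = int(raw)
            if ts > 0:  # 0 means "timestamp not set" in body files
                yield datetime.fromtimestamp(ts, timezone.utc), letter, path


def daily_counts(text):
    """Number of MACB events per UTC calendar day, keyed by ISO date string."""
    return Counter(dt.date().isoformat() for dt, _, _ in parse_body(text))


def spike_days(counts, factor=1.5):
    """Days whose event count exceeds factor * median of active days, sorted by date."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted((day, n) for day, n in counts.items() if n > factor * baseline)


def files_touched_on(text, day):
    """Distinct paths with any MACB event on the given ISO date."""
    return sorted({p for dt, _, p in parse_body(text) if dt.date().isoformat() == day})


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_BODY)
    for day, n in spike_days(counts):
        print(f"{day}: {n} events ({'before' if day < RESIGNATION_DATE else 'after'} resignation)")
        for path in files_touched_on(SAMPLE_BODY, day):
            print("   ", path)
```

The median-based threshold is deliberately simple; on a real image the baseline should be computed over weeks of normal activity, and the flagged days are a starting point for review in the timeline view, not a finding on their own.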

5. Artefact Analysis and Sensitive Data Exposure

By analysing system artefacts, the examiner identifies evidence of sensitive data exposure. Autopsy's pattern searches reveal traces of credit card information, suggesting personal or corporate data may have been stored insecurely or transferred. Because a number-pattern hit can be a false positive, each candidate is validated (for example with a Luhn check) and reviewed in context before it is reported.

Additionally, keyword searches uncovered multiple email addresses, contact information, and potential account credentials scattered across user files and browser cache.

Together with the browser artefacts, this analysis is consistent with data exfiltration through cloud services or webmail, even in the absence of direct USB transfer evidence.

Screenshot: Communication artefacts showing recovered credit card identifiers and email addresses
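Steps 3 and 5 both come down to running keyword lists and regular-expression patterns over extracted file text and filtering the hits by file type and deletion status. The following is an added example, not code from the Acorn page or from Autopsy, showing that logic over a handful of constructed file records: a custom keyword list restricted to sensitive extensions, a credit card pattern whose matches are validated with a Luhn check so that look-alike digit strings are discarded, and an email address pattern. The paths, keywords, domains and file contents are all invented for illustration.

```python
"""Keyword and pattern search with validation over extracted file text.

Added example (not part of the Acorn page or of Autopsy). All records,
keywords and domains below are constructed for illustration.
"""
import os
import re

SENSITIVE_EXT = {".xlsx", ".docx", ".pdf"}

# Constructed custom keyword list, as an examiner would load into Autopsy
KEYWORDS = ["confidential", "board pack", "payroll", "@examplecorp.test"]

# Constructed file records: (path, deleted?, text extracted by ingest)
SAMPLE_FILES = [
    ("/Users/jdoe/Documents/Q3_forecast.xlsx", False,
     "CONFIDENTIAL - Q3 forecast. Contact cfo@examplecorp.test"),
    ("/Users/jdoe/Documents/payroll_2024.xlsx", True,
     "Payroll 2024. Card on file 4111 1111 1111 1111 for corporate travel"),
    ("/Users/jdoe/Downloads/notes.txt", False,
     "test card 4111111111111112 is not valid; confidential"),
    ("/Users/jdoe/AppData/Local/Google/Chrome/User Data/Default/Cache/f_000123", False,
     "login: jdoe.personal@gmail.com password=Summer2024!"),
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right and sums."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyword_hits(files, keywords, exts=None, deleted_only=False):
    """(path, keyword) pairs for case-insensitive substring matches, filtered by
    extension set and optionally restricted to deleted files."""
    hits = []
    for path, deleted, text in files:
        if exts is not None and os.path.splitext(path)[1].lower() not in exts:
            continue
        if deleted_only and not deleted:
            continue
        lowered = text.lower()
        hits.extend((path, kw) for kw in keywords if kw.lower() in lowered)
    return hits


def credit_card_numbers(text):
    """Digit strings that match the card pattern AND pass Luhn, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def email_addresses(text):
    return sorted(set(EMAIL_RE.findall(text)))


def mask(pan):
    """Report-safe rendering: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(files):
    """Per-path summary of keyword, card and email artefacts."""
    report = {}
    for path, deleted, text in files:
        report[path] = {
            "deleted": deleted,
            "keywords": [kw for _, kw in keyword_hits([(path, deleted, text)], KEYWORDS)],
            "cards": [mask(c) for c in credit_card_numbers(text)],
            "emails": email_addresses(text),
        }
    return report


if __name__ == "__main__":
    for path, info in scan(SAMPLE_FILES).items():
        if info["keywords"] or info["cards"] or info["emails"]:
            print(path, info)
```

Note that the invalid test number in notes.txt matches the regular expression but is dropped by the Luhn check, which is exactly the kind of false positive that would otherwise inflate a report; masked PANs are used in the output so the report itself does not become a new copy of the sensitive data.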

6. Web and Email Activity

Browser artefacts indicate that the employee accessed cloud storage and webmail platforms. Web history shows the visits; cached content and recovered webmail pages indicate which documents were uploaded or attached. Browser history alone does not prove a transfer took place, so these findings are corroborated with the file timeline and, where available, with server-side or cloud provider logs.

Screenshot: Browser history showing logins to Gmail and Google Drive

Screenshot: Email analysis indicating attachments sent via webmail

7. Reporting and Documentation

The examiner uses WPS Writer on the Acorn to compile a detailed report. Key sections include:

• Lists of keyword hits and matched files, with validated (not merely pattern-matched) sensitive data findings
• USB device attachment history, including the absence of removable-media transfer evidence
• Webmail and cloud service use
• Screenshots from Autopsy for visual evidence, with image and segment hashes recorded for chain of custody

Why Autopsy + The Acorn Works

Feature                  | Benefit
All-in-One Workflow      | Imaging, analysis, and reporting are completed on a single forensic workstation.
Native E01 Support       | No need for conversion; Autopsy reads split .E01 images directly.
Lightweight + Portable   | Ideal for field investigators or small teams.
Open Source Integration  | Autopsy works alongside other pre-installed tools like Guymager, GParted, and ddrescue.

Learn more about Autopsy